Guidelines, Standards and Laws

Information security is everybody's responsibility!

Confidential information, educational records and user accounts are governed by federal and state laws and regulations, the CSU Information Security Policy and Chancellor’s executive orders, and University guidelines, standards and Administrative Policies and Procedures.

IT Security and Compliance is responsible for coordinating the development and dissemination of information security guidelines, standards and procedures for the University. See the links below to access CSU policy and University guidelines, standards and procedures.

Confidential Information - Descriptions and Examples

Level 1 Confidential Data

Description

Level 1 Confidential Data is information maintained by the University that is exempt from disclosure under the provisions of the California Public Records Act or other applicable state or federal laws.  Its unauthorized use, access, disclosure, acquisition, modification, loss, or deletion could result in severe damage to the CSU, its students, employees or customers.  Financial loss, damage to the CSU’s reputation and legal action could occur if data is lost, stolen, unlawfully shared or otherwise compromised.

Level 1 data is intended solely for use within the CSU and limited to those with a “business need-to-know.”  Statutes, regulations, other legal obligations or mandates protect much of this information.  Disclosure of Level 1 data to persons outside of the University is governed by specific standards and controls designed to protect the information.

Confidential information must be interpreted in combination with all information contained on the computer or electronic storage device to determine whether a violation has occurred.

Level 1 access will be granted on a strict “need-to-know” basis only and will be restricted to authorized staff and other participants who have executed an approved Non-Disclosure Agreement (NDA).  This information includes organization contact lists, internal processing procedures, employee schedules and other information required to function within the organization but too sensitive to release to the public.

Examples (note: list provides examples and is not all-inclusive)

  • Passwords or credentials
  • PINs (Personal Identification Numbers)
  • Birth date combined with the last four digits of SSN and name
  • Credit card numbers with cardholder name or expiration date and/or card verification code
  • Tax ID with name
  • Driver’s license number, state identification card and other forms of national or international identification (such as passports, visas, etc.) in combination with name
  • Social Security number and name
  • Health insurance information with name
  • Medical records related to an individual
  • Psychological counseling records related to an individual
  • Bank account or debit card information in combination with any required security code, access code, or password that would permit access to an individual’s financial account
  • Electronic or digitized signatures
  • Private key (digital certificate)
  • Vulnerability/security information related to a campus or system
  • Attorney/client communications
  • Legal investigations conducted by the University
  • Third-party proprietary information per contractual agreement
  • Sealed bids
  • Employee name with personally identifiable employee information
    • Biometric information
    • Electronic or digitized signatures
    • Personal characteristics

Level 2 Internal Use Data

Description

Internal use data is information that must be protected due to proprietary, ethical or privacy considerations.  Although not specifically protected by statute, regulations or other legal obligations or mandates, unauthorized use, access, disclosure, acquisition, modification, loss or deletion of information at this level could cause financial loss, damage the CSU’s reputation, violate an individual’s privacy rights or make legal action necessary.

Non-directory educational information may not be released except under certain prescribed conditions.

Level 2 access will be granted on a strict “need-to-know” basis only and will be restricted to authorized staff and other participants who have executed an approved Non-Disclosure Agreement (NDA).  This information includes organization contact lists, internal processing procedures, employee schedules and other information required to function within the organization but too sensitive to release to the public.

Examples (note: list provides examples and is not all-inclusive)

  • Identity Validation Keys (name with)
    • Birth date (full: mm-dd-yy)
    • Birth date (partial: mm-dd only)
  • Student name with personally identifiable education records
    • Grades
    • Courses taken
    • Schedule
    • Test scores
    • Advising records
    • Educational services received
    • Disciplinary actions
  • Employee Information
    • Employee net salary
    • Employment history
    • Home address
    • Personal telephone numbers (including emergency contacts)
    • Personal e-mail address
    • Payment History
    • Employee evaluations
    • Disciplinary actions
    • Background investigations
    • Mother’s maiden name
    • Race and ethnicity
    • Parents and other family members names
    • Birthplace (city, state, country)
    • Gender
    • Marital Status
    • Physical description
    • Photograph (voluntary for public display)
  • Other
    • Donor name, address, phone, email and giving amount
    • Library circulation information
    • Trade secrets or intellectual property such as research activities
    • Location of critical or protected assets
    • Licensed software

Level 3 Public Information

Description

This is information that is generally regarded as publicly available.  Information at this level is either explicitly defined as public information or intended to be available to individuals both on and off campus or not specifically classified elsewhere as Level 1 or Level 2.

Knowledge of this information does not expose the CSU to financial loss or jeopardize the security of the CSU’s information assets. 

Publicly available data may still be subject to appropriate campus review or disclosure procedures to mitigate potential risks of inappropriate disclosure.

Examples (note: list provides examples and is not all-inclusive)

  • Campus Identification Keys
    • Campus identification number
    • User ID (do not list in a public or a large aggregate list where it is not the same as the student email address)
    • Email
  • Student Information [1]
    • Educational directory information (FERPA) includes:
      • Name
      • Address
      • Telephone number
      • Email address
      • Photograph
      • Major field of study
      • Participation in officially recognized activities and sports
      • Height and weight of members of athletic teams
      • Dates of attendance
      • Grade level
      • Enrollment status
      • Degrees, honors and awards received
      • Most recent previous educational agency or institution attended by the student
    • Bargaining unit student employee directory information includes:
      • Name of the department employing the student
      • The student employee’s telephone number within the department
      • The student employee’s email address within the department
      • The student employee’s job classification
  • Employee Information (including student employees)
    • Employee title
    • Status as student employee (such as TA, GA, ISA)
    • Employee campus email address
    • Employee work location and telephone number
    • Employing department
    • Employee classification
    • Employee gross salary
    • Name (first, middle, last) (except when associated with protected data)
    • Signature (non-electronic)
  • Donor Information
    • Constituent code
    • Class, degree, academic organization, major
    • Employment information defined above
    • Job title

[1] Cal State LA may disclose “Directory Information” without prior written consent of the student.  However, at any time the student may exercise the option to consider this information confidential by completing the Releasing Student “Directory Information” to Outside Agencies form and submitting it to the Records Office, ADM 409.  All requests to obtain student directory information must be directed to the Records Office, ADM 409.

The CSU Information Security Policy provides high-level direction for managing and protecting the confidentiality, integrity and availability of CSU information assets. In addition, the policy defines the organizational scope of the CSU Information Security Policy.

Executive Orders (EO) are formal orders issued by the California State University Chancellor to direct the establishment of campus programs and procedures, and provide guidance in the development and implementation of such programs.

Standards define the minimum requirements necessary to address information security risks and the specific requirements that ensure compliance with legal regulations, CSU policy and information security best practices. Standards represent the minimum basis upon which Board of Trustees’ audits are based. Standards undergo a formal review and approval process prior to publication.

User Guidelines provide general recommendations and instructions for campus users to comply with information security standards and the CSU Information Security Policy. They are often more technical in nature than policies and standards, and are created and updated as needed to account for changes in technology, regulations or University practices. User guidelines undergo a formal review and approval process prior to publication.

Procedures are step-by-step instructions for accomplishing specific tasks and often include recommended tools for performing those tasks. Procedures are informal documents with no impact on users and therefore undergo only an internal technical review and approval process prior to publication.

Cal State LA Information Security Framework

Information Security Management

Document | Title | Type | Status | Last Revised
ITS-2524 | Cal State LA Information Security Program | Policy | Interim | 2/9/2017
ICSUAM 8015.S000 | CSU Information Security Roles and Responsibilities (public) (intranet) | Standard | Final | 11/5/2013
ICSUAM 8045.0 | CSU Information Technology Security | Policy | Final | 4/19/2010
ICSUAM 8015.0 | CSU Organizing Information Security | Policy | Final | 4/19/2010
ITS-2005-S | Information Security Roles and Responsibilities | Standard | Final | 7/22/2011

Asset Management

Document | Title | Type | Status | Last Revised
ITS-1025-G | Collecting and Processing Credit Card Information | Guideline | Final | 9/19/2012
ICSUAM 8070.S000 | CSU Application Security | Standard | Final | 3/3/2014
ICSUAM 8055.0 | CSU Change Control | Policy | Final | 4/19/2010
ICSUAM 8055.S01 | CSU Change Control | Standard | Final | 9/28/2011
ICSUAM 8065.S003 | CSU Cloud Storage and Services | Standard | Final | 10/2/2017
ICSUAM 8050.S100 | CSU Configuration Management - Common Workstation Standard | Standard | Final | 7/13/2015
ICSUAM 8050.S200 | CSU Configuration Management - High-Risk/Critical Workstation Standard | Standard | Final | 6/4/2015
ICSUAM 8065.0 | CSU Information Asset Management | Policy | Final | 4/19/2010
ICSUAM 8065.S001 | CSU Information Security Asset Management (public) (intranet) | Standard | Final | 7/16/2013
ICSUAM 8065.S02 | CSU Information Security Data Classification (public) (intranet) | Standard | Final | 9/28/2011
ITS-1021-G | Data Sanitization | Guideline | Final | 4/13/2016
ITS-1027-G | Encryption Security | Guideline | Final | 12/11/2014
EO 999 | Illegal Electronic File Sharing and Protection of Electronic Copyrighted Material | EO | Final | 2/27/2008
ITS-2006-S | Information Classification, Handling and Disposal (Level 1 Confidential Data - Examples; Level 2 Internal Use Data - Examples; Level 3 Public Information - Examples) | Standard | Final | 6/22/2017
ITS-1020-G | Mobile Computing | Guideline | Final | 2/15/2012
ITS-1005-G | Portable Electronic Storage Media | Guideline | Final | 3/4/2008
EO 796 | Privacy and Personal Information Management Student Records | EO | Final | 1/1/2002
ITS-1016-G | Protecting Electronic Copyrighted Material | Guideline | Final | 4/5/2017
AP 707 | Records Retention, Management and Disposition Program | Procedure | Final | 5/13/2011
ITS-1017-G | Safe Disposal of Electronic Storage Media | Guideline | Final | 2/3/2011
ITS-2021-S | Securing Workstation Documents | Standard | Final | 6/22/2017
AP 011 | Student Records Administration | Procedure | Final | 9/23/2005
EO 1031 | Systemwide Records/Information Retention and Disposition Schedules Implementation | EO | Final | 2/27/2008
EO 926 | The California State University Policy on Disability Support and Accommodations | EO | Final | 2/27/2008
ITS-2013-S | Utilization of Multi-function Devices | Standard | Final | 5/2/2012
ITS-2019-P | Vulnerability Management for Servers | Procedure | Final | 2/15/2017

Employee Security Management

Document | Title | Type | Status | Last Revised
AP 311 | Criminal Records Check | Procedure | Final | 2/21/2012
ICSUAM 8035.0 | CSU Information Security Awareness and Training | Policy | Final | 4/19/2010
ICSUAM 8035.S000 | CSU Information Security Awareness and Training (public) (intranet) | Standard | Final | 7/16/2013
ICSUAM 8045.S400 | CSU Mobile Device Management (public) (intranet) | Standard | Final | 7/16/2013
ICSUAM 8030.S000 | CSU Personnel Security (public) (intranet) | Standard | Final | 7/16/2013
ICSUAM 8025.00 | CSU Privacy of Personal Information (public) (intranet) | Policy | Final | 4/19/2010
ICSUAM 8105.00 | CSU Responsible Use Policy (public) (intranet) | Policy | Final | 11/20/2013
AP 312 | Fingerprint Procedure | Procedure | Final | 4/26/2010
ITS-1009-G | Separated Employees' Network/E-mail Access | Guideline | Final | 8/26/2006

Physical Security Management

Document | Title | Type | Status | Last Revised
ICSUAM 8080.0 | CSU Physical Security | Policy | Final | 4/19/2010
ICSUAM 8080.S01 | CSU Physical and Environmental Security (public) (intranet) | Standard | Final | 9/28/2011
ITS-1013-G | Data Center/Communication Room Access | Guideline | Final | 9/26/2013
ITS-1006-G | Securing Offices, Workspaces, and Documents | Guideline | Final | 5/21/2008

Communications Management

Document | Title | Type | Status | Last Revised
ITS-1000-G | Electronic Communications | Guideline | Final | 9/2/2015

Network Management

Document | Title | Type | Status | Last Revised
ITS-1001-G | Network Traffic Management | Guideline | Final | 5/28/2008
ITS-1015-G | Wireless Access | Guideline | Final | 5/17/2017

Access Control

Document | Title | Type | Status | Last Revised
ITS-1014-G | Access to Administrative Information Systems | Guideline | Final | 4/24/2013
ITS-2007-P | Administrative Systems Access Controls and Segregation of Duties Review | Procedure | Final | 12/20/2012
ICSUAM 8060.0 | CSU Access Control | Policy | Final | 4/19/2010
ICSUAM 8060.S000 | CSU Access Control (public) (intranet); CSU Access Control - Appendix A - Compliant Password Examples (public) (intranet) | Standard | Final | 6/5/2012
ICSUAM 8100.0 | CSU Electronic and Digital Signatures | Policy | Final | 12/5/2012
ICSUAM 8100.S01 | CSU Electronic and Digital Signature Standards and Procedures (public) (intranet) | Standard | Final | 5/21/2012
ICSUAM 8045.S600 | CSU Logging Elements | Standard | Final | 3/3/2014
ICSUAM 8045.S302 | CSU Remote Access to CSU Resources (public) (intranet) | Standard | Final | 7/16/2013
ITS-2015-S | Identity and Access Management Standard | Standard | Interim | 5/2/2013
ITS-1012-G | Oracle Access | Guideline | Interim | 5/30/2008
ITS-2008-S | Password Standards | Standard | Interim | 2/9/2017
ITS-5002-S | PeopleSoft User IDs and Passwords | Standard | Final | 6/24/2010
ITS-1032-G | Securing Shared Computing Resources | Guideline | Final | 3/18/2015
ITS-2011-S | User Access Controls and Risk Management for Decentralized Systems | Standard | Interim | 2/9/2017

Business Continuity Management

Document | Title | Type | Status | Last Revised
EO 1014 | CSU Executive Order - Business Continuity Program | EO | Final | 10/8/2007
ICSUAM 8085.0 | CSU Business Continuity and Disaster Recovery | Policy | Final | 4/19/2010
ITS-9506-Web | ITS Business Continuity Plan | Document | Final | 6/23/2017
ITS-7502-Web | ITS Disaster Recovery Plan | Document | Final | 6/26/2017

Computer Security Incident Response Management

Document | Title | Type | Status | Last Revised
ITS-2511 | Computer Security Incident Response Team (CSIRT) | Standard | Final | 5/3/2017
ICSUAM 8075.0 | CSU Information Security Incident Management | Policy | Final | 4/19/2010
ICSUAM 8075.S000 | CSU Information Security Incident Management (public) (intranet) | Standard | Final | 7/16/2013
ITS-2018-P | Electronic Security Incident Reporting | Procedure | Final | 1/29/2015
ITS-1008-G | Reporting a Lost or Stolen Computer or Electronic Storage Device | Guideline | Final | 5/2/2005

IT Project and Procurement Management

Document | Title | Type | Status | Last Revised
ICSUAM 8055.S01 | CSU Change Control (public) (intranet) | Standard | Final | 3/11/2011
ICSUAM 8065.S003 | CSU Cloud Storage and Services | Standard | Final | 10/2/2017
EO 862 | CSU Executive Order - Information Technology Project Management | EO | Final | 4/18/2003
ICSUAM 8040.0 | CSU Managing Third Parties | Policy | Final | 4/19/2010
ICSUAM 8040.S001 | CSU Third Party Security (public) (intranet) | Standard | Final | 6/13/2012
ITS-1022-G | Information Security Contract Language | Guideline | Final | 5/27/2015
ITS-1004-G | IT Project and Procurement | Guideline | Final | 10/24/2013

Information Security Risk Management

Document | Title | Type | Status | Last Revised
ITS-1025-G | Collecting and Processing Credit Card Information | Guideline | Final | 9/19/2012
EO 877 | CSU Executive Order - Health Care Portability and Accountability Act of 1996 | EO | Final | 4/14/2003
ICSUAM 8045.S301 | CSU Boundary Protection | Standard | Final | 3/3/2014
ICSUAM 8020.0 | CSU Information Security Risk Assessment | Policy | Final | 4/19/2010
ICSUAM 8020.S000 | CSU Information Security Risk Management - Exception Standard | Standard | Final | 6/4/2015
ICSUAM 8020.S001 | CSU Information Security Risk Management - Risk Assessment Standard | Standard | Final | 7/13/2015
ICSUAM 8045.S200 | CSU Malicious Software Protection | Standard | Final | 3/3/2014
ICSUAM 8045.S300 | CSU Network Controls Management (public) (intranet) | Standard | Final | 7/16/2013
ITS-1018-G | ID Theft Prevention Guidelines | Guideline | Final | 8/26/2009
ITS-1028-G | User Guidelines for HIPAA Compliance | Guideline | Final | 2/28/2013

Applicable Federal Laws and Regulations


Applicable California State Laws and Regulations

Other Resources